[Snort-devel] Output plugin like Unixsock for W32
Dr. Richard W. Tibbs
tewg at ...1280...
Fri Apr 19 09:39:11 EDT 2002
In fact, I began (and completed) such a feature in snort 1.8.4 in a
Win2000 environment. Just did this locally to allow some snorting on my
Win2K box. It works by using the loopback IP addr. Pretty simple, only
a few lines of code.
I have meant to propose doing it in 1.9 to the devel list, but I noticed
a lot of MS visual C++ project issues on the list, and was waiting for
things to settle down. Looks like they have, and
I would like to re-up on my offer.
There are a few design decisions for a general feature such as this.
Here is an email I sent (off-list) a couple of weeks back. Maybe this
can rekindle discussion:
There are a few design decisions we should consider for 1.9.
1) As Fyodor noted, we could offer the loopback socket (-A lbsock ?)
feature independently of -A unsock. On *nix, both would work; on win2k
only lbsock. So we would need an extra -A parm recognized. That would
be reasonably easy, but would take some more coding. Otherwise, as it
currently stands -A unsock activates a true Unix socket
(AF_UNIX,SOCK_DGRAM) on *nix platforms, or an AF_INET,SOCK_DGRAM socket
on w2k. Might seem confusing, but documentation could certainly take
care of clarifying it, if a new command line option is to be avoided.
2) In order to prevent snort from sniffing its own socket packets (when
loopback routes to HOME_NET, or whatever iface snort is sniffing), there
needs to be a rule in snort.conf (or induced upon cmd option -A unsock)
var LOOP_BACK 127.0.0.1
var SOCK_PORT 46070 # same port as defined in snort.h
pass udp $LOOP_BACK $SOCK_PORT -> $LOOP_BACK $SOCK_PORT
Does such a rule create any IDS issues?
>Does anyone know if a plugin like unixsock has been coded in the
>W32 environment? I want to make a client/server application to get
>snort information with a remote host... This plugin would output everything
>(alerts, connections, packets etc...).
>Thanks in advance.
>Pack X Crew
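The loopback datagram channel sketched in this thread, as an added example that is not Snort's own code: the plugin side sends one alert per UDP datagram to 127.0.0.1, and the consumer side binds only to loopback and drops anything whose source is not 127.0.0.1, since an AF_INET socket has none of the filesystem permissions a Unix socket gets. The port constant and the alert text are assumptions; the calls are POSIX (Win32 needs WSAStartup() and closesocket()).

```c
/* Added example, not Snort's code. Port is assumed to match snort.h as the
 * post says; the receiver enforces a loopback-only source on top of the
 * pass rule the post proposes for snort.conf. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>
#define SOCK_PORT 46070 /* assumed: the value the post cites from snort.h */
/* Bind a datagram socket to 127.0.0.1:port (0 = any free port, reported in
 * *bound). Binding to loopback rather than INADDR_ANY keeps the channel off
 * every other interface. Returns the fd or -1. */
static int open_loopback_receiver(unsigned short port, unsigned short *bound) {
    struct sockaddr_in a; socklen_t len = sizeof a;
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) return -1;
    memset(&a, 0, sizeof a);
    a.sin_family = AF_INET;
    a.sin_port = htons(port);
    a.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (bind(fd, (struct sockaddr *)&a, sizeof a) < 0 ||
        getsockname(fd, (struct sockaddr *)&a, &len) < 0) { close(fd); return -1; }
    *bound = ntohs(a.sin_port);
    return fd;
}
/* Output-plugin side: one alert, one datagram to loopback. Returns bytes sent. */
static int send_alert(unsigned short port, const char *msg) {
    struct sockaddr_in a;
    int fd = socket(AF_INET, SOCK_DGRAM, 0), n;
    if (fd < 0) return -1;
    memset(&a, 0, sizeof a);
    a.sin_family = AF_INET;
    a.sin_port = htons(port);
    a.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    n = (int)sendto(fd, msg, strlen(msg), 0, (struct sockaddr *)&a, sizeof a);
    close(fd);
    return n;
}
/* Consumer side: unlike a Unix socket, an AF_INET socket has no filesystem
 * permissions, so at least reject anything not sourced from 127.0.0.1.
 * Returns bytes read, -1 on error, -2 when the source was not loopback. */
static int recv_alert(int fd, char *buf, size_t cap) {
    struct sockaddr_in from; socklen_t flen = sizeof from;
    int n = (int)recvfrom(fd, buf, cap - 1, 0, (struct sockaddr *)&from, &flen);
    if (n < 0) return -1;
    if (from.sin_addr.s_addr != htonl(INADDR_LOOPBACK)) return -2;
    buf[n] = '\0';
    return n;
}
```

The pass rule in the post keeps these datagrams out of the detection engine; the source check in recv_alert() is the complementary safeguard on the receiving end.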